Last changed: 08/22/2022
CMMC Compliance Levels
Due to the changes made between CMMC 1.02 and the current CMMC 2.0, we will no longer refer to the levels as CMMC Certification Levels but rather as CMMC Compliance Levels.
If you are wondering which of the (now three) CMMC Compliance Levels your company will be required to conform with: the mandated CMMC level will be stated in the contract information. As a subcontractor, your prime contractor will inform you. The majority of contracts will require Level 1 or Level 2 compliance.
As a general rule:
- If your contract is only for Commercial Off the Shelf products then CMMC does not apply to you.
- If your company will receive exclusively Federal Contract Information (FCI) under the contract, then you will need a CMMC Level 1 implementation and submit an annual self-assessment.
- However, if your organization will receive Controlled Unclassified Information (CUI) in addition, then CMMC Level 2 compliance will be required as a minimum. At this level, the subset of contractors managing information critical to national security will go through a 3rd-party assessment. Those organizations that do not handle any information critical to national security will be allowed to perform and submit an annual self-assessment. At the time of writing, the guidance on how exactly this will be determined has not been released yet.
Overview
The main purpose of the CMMC model is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the DoD through acquisition programs. The type of information (FCI vs CUI) an organization handles determines the CMMC compliance level it will need to achieve.
Under the new CMMC 2.0 Compliance Rules, there will be only three CMMC compliance levels. Levels 2 and 4 from CMMC 1.02 have been eliminated to simplify the CMMC Program.
CMMC Level 1 Requirements (Foundational):
CMMC Level 1 is the base level of compliance and consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. This lowest level consists of 17 basic cybersecurity practices, such as implementing Identification and Authentication and basic Access Controls.
Level 1 is all about protecting Federal Contract Information (FCI) and will be required for anyone who obtains a DoD contract but does not produce solely Commercial Off the Shelf products. The vast majority of DoD contracts will require this level of compliance. In terms of requirements, there have been no changes compared to CMMC 1.02.
Under CMMC 2.0 Compliance Level 1, no certification assessment by a 3rd party will be required, as this level does not involve sensitive national security information. Instead, the contractor will be required to conduct a self-assessment on an annual basis. These annual self-assessments will have to be accompanied by an affirmation from a senior company official that the company is meeting the requirements; that official will be liable under the False Claims Act.
The DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS). Self-attestations can be audited at any time by the DoD.
CMMC Level 2 Requirements (Advanced):
This is the former CMMC Level 3 under the previous CMMC 1.02 version.
At CMMC Level 2 the focus is on protecting CUI, fleshing out the base security practices established in Level 1, and increasing the overall security of the organization. CMMC Level 2 compliance will require that the organization is compliant with all the security requirements in NIST SP 800-171, a total of 110 practices. There is also discussion whether the additional 61 Non-Federal Organization (NFO) controls listed in Appendix E of NIST SP 800-171 will also apply. However, the DoD has made it clear that the latter would not be assessed.
In terms of control requirements, CMMC 2.0 Level 2 mirrors the existing DFARS 252.204-7012 and -7019 rules, which took effect 12/31/2017 and 11/30/2020, respectively. The PoA&M and assessment requirements, however, differ.
If your organization handles both FCI and CUI, you will have to meet CMMC Level 2 requirements or higher. This is why we expect Level 2 to be the second most frequently mandated, if not the most frequently mandated, of all CMMC Compliance Levels. The vast majority of our existing clients are required to comply with CMMC Level 2 requirements.
When it comes to assessments, CMMC Level 2 is split:
- A small subset of contracts with Level 2 (“Advanced”) requirements that do not involve information critical to national security will require the associated organizations to conduct self-assessments, as under CMMC Level 1. However, the DoD clarified in February 2022 that, after further review, it determined this will apply to only a very small number of companies.
- For the majority of contracts under CMMC Level 2, contractors will be required to obtain an assessment from a CMMC Third Party Assessment Organization (C3PAO). C3PAOs are accredited by the Cyber AB (formerly CMMC-AB), the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime.
CMMC Level 2 is a considerable step up from Level 1, which impacts both timeline and cost. For an overview of the CMMC implementation process with time estimates for a CMMC Level 2 implementation, see here.
CMMC Level 3 Requirements (Expert):
This level combines the former CMMC Levels 4 and 5 of the previous CMMC 1.02 iteration.
If an organization is required to achieve Level 3 certification, the main focus shifts to enhancing the organization’s effectiveness in protecting CUI from Advanced Persistent Threats (APTs). While it does not have as many new practices to implement as Level 2 does, the practices listed are much more complex and time-consuming to both implement and maintain. CMMC Level 3 will require that an organization review and measure practices for effectiveness, as well as implement a subset of enhanced security practices from NIST SP 800-172 on top of those required for Level 2.
Ecuron estimates that less than 600 companies will be required to become CMMC Level 3 compliant. Organizations in this level will be assessed by government officials. Assessment requirements are currently under development.
How to Become CMMC Compliant:
As a CMMC Registered Practitioner Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC Gap Analysis, CMMC Implementation Help, CMMC Pre-Assessment. We do not conduct the final CMMC Assessments.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment: See where your organization stands and what it takes to achieve compliance.
- CMMC Implementation Help: Based on the results of the first phase, we will help you close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment: Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues, we will help you fix them. Once we are confident that you are ready for the CMMC Assessment, we will recommend scheduling the actual audit.
- CMMC Assessment Support: If you are required to be assessed by a 3rd party, we help you prepare for the final CMMC assessment and gather and organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.
For a general overview of the CMMC compliance process and rough time estimates see this flowchart.
If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at cmmc@ecuron.com or give us a call.